Several major companies have published security advisories in response to the recently disclosed Intel CPU vulnerability named Downfall.
Discovered by Google researchers and officially tracked as CVE-2022-40982, Downfall is a side-channel attack method that allows a local attacker — or a piece of malware — to obtain potentially sensitive information such as passwords and encryption keys from the targeted device.
Cloud environments are also impacted and it may be possible to launch remote attacks via a web browser, but more research is needed to demonstrate such an attack.
Intel Core and Xeon processors released over the past decade are impacted. The chip maker is releasing firmware updates, as well as mitigations, in response to the vulnerability.
The flaw impacts memory optimization features in Intel processors and the attack leverages two techniques dubbed Gather Data Sampling (GDS) and Gather Value Injection (GVI).
The GDS method has been described as “highly practical” and Google researchers created a proof-of-concept (PoC) exploit that can steal encryption keys from OpenSSL.
Several organizations have released advisories in response to the Downfall vulnerability since its disclosure on August 8.
The OpenSSL Project published a blog post this week pointing out that while the Downfall attack has been demonstrated against OpenSSL, it’s “highly general microarchitectural side-channel attack which can compromise the security of essentially any software”.
“Because OpenSSL provides accelerated implementations of many cryptographic primitives using x86 SIMD instructions, if an attacker executes an attack using this vulnerability on a process performing cryptographic operations using OpenSSL, there is an elevated risk that the information they are able to extract will include cryptographic key material or plaintexts, as this material is likely to have been recently processed in the victim process using SIMD instructions. In other words, the risk to key material or other cryptographic material is particularly high,” the OpenSSL Project explained.
AWS, Microsoft Azure, Google Cloud
AWS said its customers’ data and cloud instances are not affected by Downfall and no action is required. The cloud giant did note that it has “designed and implemented its infrastructure with protections against this class of issues”.
Microsoft said it rolled out updates to its Azure infrastructure to patch the vulnerability. In most cases — except customers that have opted out of automatic updates — users do not need to take any action.
Google Cloud also said no customer action is required. The company has applied available patches on its server fleet. However, some products require additional updates from its partners or vendors.
Cisco said its UCS B-Series M6 blade servers and UCS C-Series M6 rack servers use Intel CPUs that are vulnerable to Downfall attacks.
Citrix has published an advisory informing customers that CVE-2022-40982 only impacts Citrix Hypervisor when running on vulnerable Intel CPUs.
Dell has released BIOS patches for Alienware, ChengMing, G series, Precision, Inspiron, Latitude, OptiPlex, Vostro, and XPS computers.
HP has started releasing SoftPaqs that address Downfall for its business and consumer PCs, workstations, and retail PoS systems.
Lenovo has started releasing BIOS updates that address the vulnerability for its desktops (including all-in-one), notebooks, laptops, servers and appliances.
NetApp said multiple products incorporate Intel chips and it’s working on determining which of them are impacted. To date it has confirmed that some AFF and FAS storage systems are affected, but several products are still being analyzed.
The cloud giant OVH has confirmed that Downfall impacts OVHcloud products. The company has summarized the steps it has taken and the actions that administrators need to conduct in response to the vulnerability.
SuperMicro released a security bulletin to inform users about recent Intel firmware patches, including for Downfall, and said it has developed a BIOS update in response to the vulnerabilities.
VMware informed customers that hypervisors may be affected by CVE-2022-40982 if they are using an impacted Intel CPU, but hypervisor patches are not needed to address the vulnerability. Instead, impacted customers need to obtain firmware updates from their hardware vendors.
Xen said all versions of its hypervisor are affected if running on devices with vulnerable Intel CPUs. In addition to recommending firmware updates from hardware vendors, the organization has provided mitigations, but warned that they could significantly impact performance.